Timeline :

PoC provided by :

Reference(s) :

Affected version(s) :

MySQL 5.0
MySQL 5.1
Other ?

Tested on Centos 5.8 x86 with :

MySQL Server version 5.0.95 Source distribution

Description :

An attacker with access to a MySQL database through a user having some specific privileges, will be allowed, through this vulnerability to create a MySQL administrator user. The created user specified in the PoC script is by default “rootedbox2″ with “rootedbox2″ as password.

Share this:

Timeline :

Vulnerability discovered by Sergei Golubchik in April 2012
Bug reported to vendor by Sergei Golubchik the 2012-04-06
Public release of the vulnerability the 2012-06-09
Metasploit PoC provided the 2012-06-11

Reference(s) :

Affected version(s) :

Tested on Centos 5 with :

MySQL 5.5.21

Description :

Oracle has release, the 21 March, two new versions of MySQL, version 5.5.22 and 5.1.62. These versions have fix two bugs #13510739 and #63775 how are considered as security fixes. But no impact details of these bugs are provided and the bugs report are closed.
Unfortunately for Oracle the two new versions were shipped with a development script “mysql-test/suite/innodb/t/innodb_bug13510739.test” in order to test the fix of the vulnerabilities, a PoC provided by Oracle. The bugs cause a denial of service of MySQL “ON HANDLER READ NEXT AFTER DELETE RECORD“. All the details are available in the script or on the upper Pastebin link.